(U) BIOS implants are firmware written to reside in a computer's BIOS and perform some function. Though not necessarily malicious, implants can be used to conduct CNA and CNE.

(U) BIOS attacks and implants have been used by, and are known to, both nation-state and non-nation-state actors. There have been presentations on them at previous Black Hat and DEF CON conventions. LOJACK for laptops is an optionally manufacturer-installed BIOS implant for Dell laptops. BIOS attacks can be traced back at least to the Chernobyl virus in 1998.
(U) Key Findings

• (U) Using a BIOS implant for CNE is more difficult than for CNA. Without specific information about the targeted system(s), the implant is much more likely to prevent proper system booting (CNA).

• (U) When using a BIOS implant for either CNE or CNA by remote means, there must be an initial infection by traditional malware; the intruder still needs to obtain administrator or root access. Supply chain and insider threat are both still possible.

• (TS//SE/REL TO USA, FVEY) There are currently no ways in use to detect a BIOS infection outright on NIPRNet. The only way we would see a BIOS infection using current methods would be indirectly, through network traffic generated when the implant phones home.

• (U//FOUO) The main reason for introducing malware into an expansion card (or BIOS) is to maintain a persistent presence through typical methods of system rebuilds. In addition to being immune to hard disk reformatting and OS reinstallation, some BIOS implants can survive a flashing of the BIOS by hiding in the BIOS's free space. Graphics, sound, and network card firmware could provide further hiding places. “Graphic cards have been subverted to support distributed brute-force password breaking. Network cards could be used to create covert channels. Security researchers have shown that sound cards can be controlled by malware to emit frequencies beyond normal hearing range designed to exfiltrate data.”
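The free-space hiding place described in the finding above is something a defender can check for when a known-good image of the same BIOS is available. The following is an added example in Python (not from the original page or any program it names): it compares a firmware dump with a golden image and reports each changed span, flagging spans that fall entirely inside the golden image's 0xFF/0x00 padding. Both images are constructed toy data, not real firmware.

```python
# Added example: flag changes in a BIOS dump relative to a golden image, and mark
# whether each change landed in padding (free space) or in real content.
PAD_BYTES = (0xFF, 0x00)

def find_padding_runs(image, min_run=64):
    """Return (start, end) spans of identical 0xFF or 0x00 bytes at least min_run long."""
    runs, i = [], 0
    while i < len(image):
        if image[i] not in PAD_BYTES:
            i += 1
            continue
        j = i
        while j < len(image) and image[j] == image[i]:
            j += 1
        if j - i >= min_run:
            runs.append((i, j))
        i = j
    return runs

def diff_regions(golden, dump, min_run=64):
    """Return (start, end, kind) for each differing span: kind is 'padding' when the
    whole span lies inside golden free space, otherwise 'content'."""
    if len(golden) != len(dump):
        raise ValueError("image sizes differ: %d vs %d" % (len(golden), len(dump)))
    pads = find_padding_runs(golden, min_run)
    regions, i = [], 0
    while i < len(golden):
        if golden[i] == dump[i]:
            i += 1
            continue
        j = i
        while j < len(golden) and golden[j] != dump[j]:
            j += 1
        kind = "padding" if any(s <= i and j <= e for s, e in pads) else "content"
        regions.append((i, j, kind))
        i = j
    return regions

def build_sample():
    """Constructed images (not real firmware): two content blocks separated by padding."""
    golden = b"BIOS-CODE-BLOCK-A" + b"\xff" * 256 + b"BIOS-CODE-BLOCK-B" + b"\x00" * 128
    dump = bytearray(golden)
    dump[5:7] = b"xx"               # two-byte change inside real content
    dump[40:52] = b"IMPLANT-STUB"   # constructed marker dropped into the 0xFF free space
    return golden, bytes(dump)

def check_sample():
    golden, dump = build_sample()
    return diff_regions(golden, dump)

if __name__ == "__main__":
    for start, end, kind in check_sample():
        print("0x%06x-0x%06x: %s changed (%d bytes)" % (start, end, kind, end - start))
```

A change confined to padding is the signature this finding describes; a dump that matches the golden image byte for byte is the only result that rules out both kinds of modification.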


(U) Key Judgments

• (TS//SI//NF) PLA and MAKERSMARK versions do not appear to have a common link beyond the interest in developing more persistent and stealthy

• (TS//SI//NF) Among currently compromised BIOS versions are those based on AMI and Award. The threat that BIOS implants pose increases significantly for systems running on compromised versions.
(U) Virus attacks

(U) There are at least three known BIOS attack viruses. 

(U) CIH

(U) The first was a virus which was able to erase Flash ROM BIOS content, rendering computer systems unstable. CIH, also known as the "Chernobyl Virus", appeared for the first time in mid-1998 and became active in April 1999. It affected systems' BIOS, and affected systems often could not be repaired on their own since they were no longer able to boot at all. To repair this, the Flash ROM IC had to be removed from the motherboard and reprogrammed elsewhere. Damage from CIH was possible since the virus was specifically targeted at the then widespread Intel i430TX motherboard chipset, and the most common operating systems of the time were based on the Windows 9x family, which allowed direct hardware access to all programs.

(U) Modern systems are not vulnerable to CIH because of the variety of chipsets in use which are incompatible with the Intel i430TX chipset, and also because of other Flash ROM IC types. There is also extra protection from accidental BIOS rewrites in the form of boot blocks which are protected from accidental overwrite, or dual- and quad-BIOS equipped systems which may, in the event of a crash, use a backup BIOS. Also, all modern operating systems like Linux, Mac OS X, and Windows NT-based Windows OS like Windows 2000, Windows XP and newer do not allow user mode programs to have direct hardware access. As a result, as of 2008, CIH has become essentially harmless, at worst causing annoyance by infecting executable files and triggering alerts from antivirus software. Other BIOS viruses remain possible, however: since most Windows users run all applications with administrative privileges, a modern CIH-like virus could, in principle, still gain access to hardware.


(U) Black Hat 2006

(U) The second was a technique presented by John Heasman, principal security consultant for the UK-based Next-Generation Security Software, at the Black Hat Security Conference (2006), where he showed how to elevate privileges and read physical memory using malicious procedures that replaced normal ACPI functions stored in flash memory.

(U) Persistent BIOS Infection

(U) The third, known as "Persistent BIOS infection", was a method presented at the CanSecWest Security Conference (Vancouver, 2009) and the SyScan Security Conference (Singapore, 2009), where researchers Anibal Sacco and Alfredo Ortega, from Core Security Technologies, demonstrated insertion of malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at every start-up, even before the operating system is booted.

(U) The proof-of-concept does not exploit a flaw in the BIOS implementation, but only involves the normal BIOS flashing procedures. Thus, it requires physical access to the machine or for the user on the operating system to be root. Despite this, however, the researchers underline the profound implications of their discovery: “We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus.”
(U) Additional Reading


• (S) DIA: Defense Intelligence Digest: BIOS: China's Covert Cyber Capability: 14 Oct 2010 (A-Space required)

• a TOIJCHWOT F - NSANet Wikiinfo page

• (U) STROMTTMR RTOS Action Plan Status - NSANet Wikiinfo page